BSD ftpd Single-Byte Buffer Overflow Vulnerability


Vulnerability ID: 1106142
Vulnerability type: Unknown
Published: 2000-12-18
Updated: 2005-05-02
CVE ID: CVE-2001-0053
CNNVD-ID: CNNVD-200102-049
Platform: Unix
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20512
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-049
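|Vulnerability details
The FTP server implementation derived from 4.x BSD contains a serious vulnerability that allows root privileges to be obtained remotely. A single-byte buffer overflow exists in the replydirname() function; it overwrites the saved EBP register, and when replydirname() returns, the EBP register in the calling function is set to the modified value. If the calling function is not otherwise affected and goes on to return normally, then because EBP already holds the modified value, the EIP used for the return is not fetched from the normal location. If the relevant stack region is under the attacker's control, program flow changes, and traditional buffer overflow techniques can then be used to go on to obtain root privileges. If the system supports an anonymously writable directory, such as an incoming directory, the vulnerability is easy to exploit successfully. By default the overflow condition is not met. In addition, the FTP service is disabled by default on OpenBSD.
|Exploit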
source: http://www.securityfocus.com/bid/2124/info

The ftp daemon derived from 4.x BSD source contains a serious vulnerability that may compromise root access.

There exists a one byte overflow in the replydirname() function. The overflow condition is due to an off-by-one bug that allows an attacker to write a null byte beyond the boundaries of a local buffer and over the lowest byte of the saved base pointer.

As a result, the numerical value of the pointer decreases, so it points to a higher location (a lower address) on the stack than it should. When the replydirname() function returns, the modified saved base pointer is stored in the base pointer register. When the calling function returns, the return address is read from an offset of where the base pointer points to. With the last byte of the base pointer zero, this will be a location other than where it should be.

If this region of the stack is under the control of the attacker, such as the local variable which contained the extra byte in the first place, an arbitrary address can be placed there that will be used as the saved return address by the function.

This is the case in ftpd. It is possible for an attacker to force the ftp daemon to look in user-supplied data for a return address and then execute instructions at the location as root.

This vulnerability can be exploited on systems supporting anonymous ftp if a writeable directory exists (such as an "incoming" directory). This is rarely in place by default.

It should be noted that OpenBSD ships with ftp disabled, though it is an extremely commonly used service.
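
The off-by-one described above, as an added C example (not the ftpd source and not code from the advisory). It assumes the copy loop doubles each `"` while testing the bound only once per iteration, uses a 16-byte stand-in buffer, and puts a guard byte where the low byte of the saved base pointer would sit; `copy_quoted_buggy`, `copy_quoted_fixed`, `guard_intact`, `NPATH` and `TRIGGER` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#define NPATH 16                      /* assumed stand-in for the path buffer size */
#define TRIGGER "AAAAAAAAAAAAAA\""    /* constructed name: 14 x 'A', then one '"' */

/* Buggy shape (assumed): the bound is tested once per iteration, but a '"'
 * consumes two slots, so i can reach cap and the NUL lands at dst[cap]. */
static size_t copy_quoted_buggy(char *dst, size_t cap, const char *name)
{
    size_t i;
    for (i = 0; *name != '\0' && i < cap - 1; i++, name++) {
        dst[i] = *name;
        if (*name == '"')
            dst[++i] = '"';
    }
    dst[i] = '\0';                    /* writes dst[cap] if a '"' sat at cap-2 */
    return i;                         /* index the terminator was written to */
}

/* Hardened: double the quote only if a slot remains for it and the NUL. */
static size_t copy_quoted_fixed(char *dst, size_t cap, const char *name)
{
    size_t i;
    for (i = 0; *name != '\0' && i < cap - 1; i++, name++) {
        dst[i] = *name;
        if (*name == '"' && i < cap - 2)
            dst[++i] = '"';
    }
    dst[i] = '\0';
    return i;
}

typedef size_t (*copy_fn)(char *, size_t, const char *);
/* arena[NPATH] is a guard byte standing in for the low byte of the saved
 * base pointer; the write stays inside arena, so the demo is well defined. */
static int guard_intact(copy_fn fn, const char *name)
{
    char arena[NPATH + 1];
    memset(arena, 0x5A, sizeof arena);
    fn(arena, NPATH, name);
    return (unsigned char)arena[NPATH] == 0x5A;
}

int main(void)
{
    printf("buggy: guard intact = %d\n", guard_intact(copy_quoted_buggy, TRIGGER));
    printf("fixed: guard intact = %d\n", guard_intact(copy_quoted_fixed, TRIGGER));
    return 0;
}
```

With the constructed name, the buggy copy zeroes the guard byte while the hardened copy leaves it untouched; an ordinary name such as `incoming` never reaches the boundary in either version.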

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/20512.tar.gz
|References

Source: XF
Name: bsd-ftpd-replydirname-bo
Link: http://xforce.iss.net/static/5776.php
Source: BID
Name: 2124
Link: http://www.securityfocus.com/bid/2124
Source: OPENBSD
Name: 20001218
Link: http://www.openbsd.org/advisories/ftpd_replydirname.txt
Source: BUGTRAQ
Name: 20001218 Trustix Security Advisory - ed, tcsh, and ftpd-BSD
Link: http://archives.neohapsis.com/archives/bugtraq/2000-12/0275.html
Source: NETBSD
Name: NetBSD-SA2000-018
Link: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-018.txt.asc
